 * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any

/**
 * Implements the GSSAPI SASL server mechanism for Kerberos V5.
 *
 * Expects the thread's Subject to contain the server's Kerberos credentials.
 * - If not, the underlying KRB5 mech will attempt to acquire Kerberos creds
 *   by logging into Kerberos (via the default TextCallbackHandler).
 * - These creds will be used for the exchange with the client.
 *
 * authorized ID to be the canonicalized authzid (if applicable).
 *
 * Environment properties that affect the behavior of the implementation:
 *
 * javax.security.sasl.qop
 * - quality of protection; list of auth, auth-int, auth-conf; default is "auth"
 *
 * javax.security.sasl.maxbuf
 * - max receive buffer size; default is 65536
 *
 * javax.security.sasl.sendmaxbuffer
 * - max send buffer size; default is 65536 (min with client max recv size)
 */

    /**
     * Creates a SASL mechanism with the server credentials that it needs.
     */
        // Create the name for the requested service entity for the Krb5 mech
        // Create a context using the server's credentials
        // Might need integrity

    /**
     * Processes the response data.
     *
     * The client sends response data which the server must
     * process using GSS_accept_sec_context.
     * As per RFC 2222, once the GSS authentication completes (GSS_S_COMPLETE)
     * we do an extra handshake to determine the negotiated security protection.
     *
     * @param responseData A non-null but possibly empty byte array containing the
     *        response data from the client.
     * @return A non-null byte array containing the challenge to be
     *         sent to the client, or null when no more data is to be sent.
     */
                "SASL authentication already complete");

            // Security context not established yet; continue with accept

            // Security context already established. responseData
            // should contain no data
                "Handshake expecting no response data from server");

        // Construct 4 octets of data:
        // First octet contains a bitmask specifying the protections supported
        // 2nd-4th octets contain the max receive buffer size of the server
            "KRB5SRV06:Supported protections: {0}; recv max buf size: {1}",

        // Expecting 4 octets from the client: the selected protection
        // and the client's receive buffer size
        // First octet is a bit-mask specifying the selected protection
            throw new SaslException(
                "Client selected unsupported protection: "

        // 2nd-4th octets specify the maximum buffer size expected by the
        // client (in network byte order). This is the server's send

        // Determine the max send buffer size based on what the
        // client is able to receive and our specified max
        // Update context to limit the size of the returned buffer
            "KRB5SRV10:Selected protection: {0}; privacy: {1}; integrity: {2}",
            "KRB5SRV11:Client max recv size: {0}; server max send size: {1}; rawSendSize: {2}",

        // Get authorization identity, if any
        // In Kerberos, the realm is embedded in the peer name
                " is not authorized to connect as " +
                authzid);
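The 4-octet security-layer handshake and the authorization-identity check that the comments above describe, as an added example that is not part of the OpenJDK source on this page. Class, method and constant names are this example's own, the client reply bytes and the CallbackHandler policy are constructed, and the GSS wrap/unwrap around each token (which needs a live Kerberos context) is omitted. RFC 2222, cited in the comments, has since been replaced for the GSSAPI mechanism by RFC 4752, whose section 3.1 defines the same 4-octet layout: one protection bit (0x01 none, 0x02 integrity, 0x04 confidentiality) followed by a 3-octet big-endian maximum buffer size.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;

/**
 * Offline model of what happens after GSS_accept_sec_context returns
 * GSS_S_COMPLETE: the server's 4-octet offer, the client's 4-octet
 * choice, and the authzid decision. Names here are this example's own.
 */
public final class GssKrb5SecLayerDemo {

    // Bit values of the first octet (RFC 4752 section 3.1).
    static final int NO_PROTECTION = 0x01;             // qop "auth"
    static final int INTEGRITY_ONLY_PROTECTION = 0x02; // qop "auth-int"
    static final int PRIVACY_PROTECTION = 0x04;        // qop "auth-conf"

    /** Outcome of parsing the client's reply. */
    static final class Selection {
        final int protection, clientMaxRecvSize, sendMaxBufSize;
        Selection(int p, int c, int s) { protection = p; clientMaxRecvSize = c; sendMaxBufSize = s; }
    }

    /** Server -> client: supported-protection bitmask, then server max receive size (3 octets). */
    static byte[] buildServerOffer(int supportedMask, int recvMaxBufSize) {
        if ((supportedMask & ~0x07) != 0 || recvMaxBufSize < 0 || recvMaxBufSize > 0xFFFFFF) {
            throw new IllegalArgumentException("mask must use bits 0-2; size must fit in 3 octets");
        }
        return new byte[] { (byte) supportedMask,
            (byte) (recvMaxBufSize >>> 16), (byte) (recvMaxBufSize >>> 8), (byte) recvMaxBufSize };
    }

    /**
     * Client -> server (after unwrap): exactly one selected protection bit that the
     * server offered, then the client's max receive size. The server's send size is
     * the minimum of that and its own javax.security.sasl.sendmaxbuffer value.
     * This example rejects replies that set more than one protection bit.
     */
    static Selection parseClientChoice(byte[] token, int supportedMask, int serverSendMaxBufSize)
            throws SaslException {
        if (token == null || token.length != 4) {
            throw new SaslException("Expected exactly 4 octets of security-layer selection");
        }
        int selected = token[0] & 0xFF;
        boolean singleBit = selected != 0 && (selected & (selected - 1)) == 0;
        if (!singleBit || (selected & supportedMask) == 0) {
            throw new SaslException("Client selected unsupported protection: " + selected);
        }
        int clientMaxRecvSize =
            ((token[1] & 0xFF) << 16) | ((token[2] & 0xFF) << 8) | (token[3] & 0xFF);
        // With no security layer nothing is wrapped, so no send limit applies.
        int sendMax = (selected == NO_PROTECTION) ? 0 : Math.min(clientMaxRecvSize, serverSendMaxBufSize);
        // A real server would now call GSSContext.getWrapSizeLimit() with sendMax to derive rawSendSize.
        return new Selection(selected, clientMaxRecvSize, sendMax);
    }

    /**
     * Octets after the first four are the authzid. In Kerberos the realm is part of the
     * peer name, so an empty authzid means the peer acts as itself; otherwise the
     * application's CallbackHandler decides through an AuthorizeCallback.
     */
    static String authorize(String peerName, byte[] authzidBytes, CallbackHandler handler)
            throws SaslException {
        String authzid = authzidBytes.length == 0 ? peerName : new String(authzidBytes, StandardCharsets.UTF_8);
        AuthorizeCallback acb = new AuthorizeCallback(peerName, authzid);
        try {
            handler.handle(new Callback[] { acb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new SaslException("Cannot get authorization decision", e);
        }
        if (!acb.isAuthorized()) {
            throw new SaslException(peerName + " is not authorized to connect as " + authzid);
        }
        String canon = acb.getAuthorizedID(); // handler may canonicalize the authzid
        return canon != null ? canon : authzid;
    }

    public static void main(String[] args) throws Exception {
        int offered = NO_PROTECTION | INTEGRITY_ONLY_PROTECTION | PRIVACY_PROTECTION;
        byte[] offer = buildServerOffer(offered, 65536);
        // Constructed client reply: privacy selected, client can receive 32768 bytes.
        byte[] reply = { (byte) PRIVACY_PROTECTION, 0x00, (byte) 0x80, 0x00 };
        Selection s = parseClientChoice(reply, offer[0] & 0xFF, 65536);
        System.out.printf("protection=%d clientMaxRecv=%d serverSendMax=%d%n",
                          s.protection, s.clientMaxRecvSize, s.sendMaxBufSize);

        // Constructed policy: a principal may only act as itself.
        CallbackHandler selfOnly = callbacks -> {
            for (Callback cb : callbacks) {
                if (!(cb instanceof AuthorizeCallback)) throw new UnsupportedCallbackException(cb);
                AuthorizeCallback a = (AuthorizeCallback) cb;
                a.setAuthorized(a.getAuthenticationID().equals(a.getAuthorizationID()));
            }
        };
        System.out.println(authorize("alice@EXAMPLE.COM", new byte[0], selfOnly));
        try {
            authorize("alice@EXAMPLE.COM", "bob@EXAMPLE.COM".getBytes(StandardCharsets.UTF_8), selfOnly);
        } catch (SaslException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two checks worth keeping from this model when reviewing a server implementation: the client's reply must be exactly 4 octets (plus any authzid) and its protection bit must be one the server actually offered, otherwise a client can downgrade to "auth" against a server configured for "auth-conf"; and the negotiated send size must never exceed the client's advertised receive size, since the client will reject (or truncate) larger wrapped tokens.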